[azurerm] JSIIError when referencing FunctionApp's identity #1018

Closed
b-c-lucas opened this issue Sep 14, 2021 · 8 comments
Labels
bug Something isn't working feature/tokens priority/important-soon High priority, to be worked on as part of our current release or the following one.

@b-c-lucas

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

cdktf & Language Versions

  • cdktf: 0.5.0
  • python: 3.9.7
  • providers: azurerm@~> 2.76.0, azuread@~> 2.2.1

Affected Resource(s)

azurerm -> FunctionApp.identity

Debug Output

https://gist.github.com/brad-lucas/bde4667132e37fa13fbaa93df54a55a9

Expected Behavior

Referencing the created FunctionApp's identity property returns a List[FunctionAppIdentity].

Actual Behavior

JSIIError raised:

  • jsii.errors.JSIIError: Expected array type, got "${azurerm_function_app.demo_app_function_app.identity}"

Steps to Reproduce

  1. Create a CDKTF stack using azurerm provider.
  2. Create a new FunctionApp within the stack.
  3. Try to access the FunctionApp's identity (ex.: within a TerraformOutput, or create a RoleAssignment as done in the provided gist).

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#attributes-reference

The identity block exports the following:
principal_id - The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service.
tenant_id - The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service.
Note
You can access the Principal ID via azurerm_app_service.example.identity.0.principal_id and the Tenant ID via azurerm_app_service.example.identity.0.tenant_id

@b-c-lucas b-c-lucas added bug Something isn't working new Un-triaged issue labels Sep 14, 2021
@jsteinich
Collaborator

Related to #25 and #993.

At the moment you can use an escape hatch to work around. Will look something like:

role_assignment = RoleAssignment...
role_assignment.add_override("principal_id", demo_app_function_app.fqn + ".identity[0].principal_id")

In the upcoming version you'll be able to use:

...
principal_id = Fn.lookup(Fn.element(demo_app_function_app.identity, 0), "principal_id")

@b-c-lucas
Author

Thanks, @jsteinich! I was completely unaware of add_override, but the snippet provided isn't quite working as provided. Let me tinker and report back.

@b-c-lucas
Author

b-c-lucas commented Sep 15, 2021

I was able to get the role assignment to work using code that lands somewhere in between the workaround and the core implementation (and looks like what's referenced in the azurerm_function_app docs):

RoleAssignment(
    self,
    "<role_assignment_id>",
    principal_id=f"${{{demo_app_function_app.fqn}.identity.0.principal_id}}",
    ...
)

Not perfect, but certainly a cool way to leverage HCL within Python code; hopefully this helps anyone else who might run into something similar before the aforementioned upcoming version is released.
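
The brace escaping in the f-string above, as an added example that is not part of the original comment or of cdktf: `tf_reference` is a hypothetical helper, and the sample address assumes `fqn` returns the bare `azurerm_function_app.demo_app_function_app` seen in the error message. It also checks each path segment so that only a plain attribute or index can end up inside the `${...}` expression.

```python
import re

# Terraform names: letters, digits, "_" and "-", not starting with a digit.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")


def tf_reference(address, *path):
    """Return "${address.path...}" for a bare "<type>.<name>" resource address.

    tf_reference is a hypothetical helper, not a cdktf API. String segments
    become ".attr", integer segments become "[n]". Anything that is not a
    plain identifier or a non-negative index is rejected, so a stray "}" or
    a nested "${" cannot change the expression Terraform evaluates.
    """
    parts = address.split(".")
    if len(parts) != 2 or not all(_IDENT.fullmatch(p) for p in parts):
        raise ValueError(f"not a bare resource address: {address!r}")
    expr = address
    for seg in path:
        if isinstance(seg, int) and not isinstance(seg, bool) and seg >= 0:
            expr += f"[{seg}]"
        elif isinstance(seg, str) and _IDENT.fullmatch(seg):
            expr += f".{seg}"
        else:
            raise ValueError(f"invalid path segment: {seg!r}")
    return "${" + expr + "}"


# Constructed sample value: the address from the error message above, assumed
# to be what `demo_app_function_app.fqn` returns in cdktf 0.5.0.
FQN = "azurerm_function_app.demo_app_function_app"

# Without the "${...}" wrapper Terraform treats the value as a literal string.
LITERAL = FQN + ".identity[0].principal_id"

# The f-string form from the comment above: "{{" and "}}" are escaped braces,
# so only the middle "{FQN}" is substituted.
FSTRING = f"${{{FQN}.identity.0.principal_id}}"

# Same reference built by the helper, using the bracket index syntax.
REFERENCE = tf_reference(FQN, "identity", 0, "principal_id")

if __name__ == "__main__":
    print(LITERAL)
    print(FSTRING)
    print(REFERENCE)
```
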

@b-c-lucas
Author

@jsteinich should I close this out given I have a workaround now? Just making sure I'm playing nice... :)

Cheers!

@danieldreier
Contributor

@brad-lucas I'm glad you've got a workaround - thanks @jsteinich - but let's keep this open since this isn't really the desired behavior. Thank you for reporting this!

@danieldreier danieldreier added feature/tokens needs-priority Issue has not yet been prioritized; this will prompt team review and removed new Un-triaged issue labels Sep 24, 2021
@danieldreier danieldreier added this to the 0.7 milestone Sep 28, 2021
@danieldreier danieldreier added priority/important-soon High priority, to be worked on as part of our current release or the following one. and removed needs-priority Issue has not yet been prioritized; this will prompt team review labels Sep 28, 2021
@phinze phinze modified the milestones: 0.7, 0.8 (in planning) Oct 14, 2021
@DanielMSchmidt DanielMSchmidt added size/large estimated < 1 month and removed size/large estimated < 1 month labels Nov 29, 2021
@DanielMSchmidt
Contributor

This is fixed via #935; you can now run demo_app_function_app.identity.identity_ids 👍

@b-c-lucas
Author

Hadn't had the chance to try this out, but confirmed the fix:

principal_id=Fn.element(demo_app_function_app.identity.identity_ids, 0),

@github-actions
Contributor

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 30, 2022